BAN Logic A Logic of Authentication

Transcription

1 BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1

2 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí, and Roger Needham. The logic is, as they stated, a logic of belief and action. It contains no logical inversions; therefore it cannot be used to prove a protocol flawed. But when proof that a protocol is correct cannot be obtained, that protocol deserves to be treated with grave suspicion. 2

3 Notation The logic reasons about beliefs. If Alice believes a proposition P, we write A P and say A believes P. Alice believes that K AT is a good key for communicating with Trent. This is expressed as A A K AT T ; we say A believes K AT is a good key for A and T. Trent acts as authentication server or certification authority in many of the protocols analyzed by BAN logic. If Alice believes that Trent can be trusted to create a good key for communication with Bob, we write A T A K ; we say A believes T has jurisdiction over or speaks for good keys for A and B. 3

4 Messages When Alice receives a message (which, in our logic, always contains a proposition), we write A P and say A sees P. Seeing is not believing unless you know who said it. Note that, in this logic, nobody says anything he or she does not believe. If Alice sent a message containing the statement P, we may write A P and say A once said P. But, Alice may have said it so long ago that we can no longer trust the contents of her message. We need to know that Alice s statement is fresh. When a statement P is fresh we write #(P) and say P is fresh. 4

5 Notation Summary P X P X P X #(P) P X P believes X P sees X P once said X P is fresh P has jurisdiction over X P K Q K is a good key for communicating between K P P and Q P has K as a public key P X Q X Y X is a secret known only to P and Q X combined with (secret) Y 5

6 Axioms We adopt the notation in the BAN papers: P Q then Q is true. means if P is true We assume that participants in protocols are good logicians: if Alice believes a proposition X and X, then she believes Y Y too. This is true for the axioms also. 6

7 Message meaning rules P P K Q, P {X} K P Q X P K Q, P {X} K 1 P Q X P P Y Q, P X Y P Q X 7

8 Nonce Verification P #(X), P Q X P Q X 8

9 Jurisdiction Rule P Q X, P Q X P X 9

10 More Rules P X, P Y P (X, Y ) P (X, Y ) P X P Q (X, Y ) P Q X P Q (X, Y ) P Q X 10

11 And More P (X, Y ) P X P X Y ) P X P P K Q, P {X} K P X 11

12 And More P K P, P {X} K P X P K Q, P {X} K 1 P X P #(X) A #((X, Y )) 12

13 Analysis of Protocols Most analyses start with assumptions such as A A K AT T A T A K AB B B K BT T B T B K AB A #(N A ) B #(N B ) T A K AB and need to conclude with A A K AB B A K AB A B A K AB B A A K AB 13

14 The Ottway-Rees Authentication Protocol 1. M, A, B, {N A, M, A, B} KAT 2. M, A, B, {N A, M, A, B} KAT, {N B, M, A, B} KBT 3. M, {N A, K AB } KAT, {N B, K AB } KBT 4. M, {N A, K AB } KAT 14

15 Analysis The Protocol 1. M, A, B, {N A, M, A, B} KAT {N A, N C } KAS 2. M, A, B, {N A, M, A, B} KAT, {N B, M, A, B} KBT {N A, N C } KAS, {N B, N C } KBS 3. M, {N A, K AB } KAT, {N B, K AB } KBT {N A, A K AB, B N C } KAT, {N B, A K AB, A N C } KBT 4. M, {N A, K AB } KAT {N A, A K AB, B N C } KAT 15

16 Analysis Assumptions A A K AT T T A K AT T B B K BT T T B K BT T T A K AB A T A K AB A T B X B T B K AB B T A X A #(N A ) B #(N B ) A #(N C ) 16

17 Analysis Derivations B {N B, A K AB } KBT, B B K BT T B T N B, A K AB B {N B, A K AB } KBT, B #(N B ) B #(A K AB ) B T A K AB, B B T A K AB #(A K AB ) B T A K AB, B T A K AB B A K AB 17

18 Analysis Conclusion Similarly, we derive A A K AB. We can also derive but we can only prove A B N C, B A N C. N A is not needed, N C can be used instead. 18

19 the Needham-Schroeder Protocol 1. A, B, N A 2. {N A, B, K AB, {A, K AB } KBT } KAT 3. {A, K AB } KBT 4. {N B } KAB 5. {N B 1} KAB 19

20 Needham-Schroeder Analysed Assumptions: T A K AB A A K AT T T A K AT T B B K BT T T B K BT T A T A K AB A T #(K AB ) B T B K AB A #(N A ) B #(N B ) T #(K AB ) B #(A K ) 20

21 Messages 1. A, B, N A 2. {N A, B, K AB, {A, K AB } KBT } KAT 3. {A, K AB } KBT {N A, A K AB, #(A K AB ), {A K AB } KBT } KAT {A K AB } KBT 4. {N B } KAB 5. {N B 1} KAB {N B, A K AB } KAB f r omb {N B, A K AB } KAB f r oma 21

22 Analysis As in the Ottway-Rees protocol, we have the message for Alice saying {N A, A K AB } KAT, so we can prove in an identical manner A A K AB. But Bob gets no message linking Trent s statement A K AB to something he knows to be fresh. B T A K AB. We cannot get beyond 22

23 Needham-Schroeder Exposed This exactly puts the finger on the weakness in the Needham- Schroeder protocol: Mallory could record Alice and Bob s key exchange and trick Bob into accepting the key in Message 3 any time he chooses. Mallory will be thwarted, however, when he cannot respond to Bob s Message 4. But if he can afford to spend a year of CPU time cracking K AB, he can get Bob to accept and use a year-old key. 23